Categories: CyberHoot

HowTo: Fix False Opens and Clicks in AttackPhish Reports

Why Does My AttackPhish Report Show Users Opening and Clicking Emails They Never Saw?

Table of Contents

Overview

If you’re seeing users listed as having opened and clicked phishing emails within seconds, or even before they could have possibly opened them, don’t worry. Your users aren’t lying, and nothing is broken. What you’re seeing is a byproduct of modern email security tools doing their job.

What’s Happening

Many email security solutions such as Microsoft

Sponsored

Defender for Office 365, Barracuda, Mimecast, and Proofpoint include features like Safe Links, URL Protection, or Link Scanning.

When a simulated phishing email from CyberHoot’s AttackPhish module arrives, these systems automatically:

Open the message in a secure sandbox to inspect its contents.
“Click” every link in the email to verify it’s safe before delivering it to the user’s inbox.

These automated scans trigger the same tracking mechanisms CyberHoot uses to record legitimate user activity. The result is that your report may show:

The email was opened seconds after delivery.
A link was “clicked” within the same minute.
Multiple users showing identical timestamps.

Why This Happens

Automated link scanners mimic user clicks.
Security gateways follow embedded URLs to check for malicious redirects.
Tracking pixels are loaded during this process, falsely marking messages as opened.

In short, your security system (not your user) is the one “clicking.”

How to Fix It

To ensure your AttackPhish reports accurately reflect real user behavior, you’ll need to allow CyberHoot’s phishing simulations to pass through your email filters without sandbox inspection.

Follow the guide below for M365:

Summary

False “opens” and “clicks” in AttackPhish reports are almost always caused by link-scanning technologies doing what they’re designed to do: protect your users. Once CyberHoot’s domains or headers are allow-listed, you’ll see accurate results that reflect genuine user behavior.

The post HowTo: Fix False Opens and Clicks in AttackPhish Reports appeared first on CyberHoot.

HowTo: Allow-List CyberHoot’s AttackPhish Simulation Servers in M365

Detailed Instructions From Microsoft:https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes?view=o365-worldwideOnce you click the link above, follow the instructions under the “Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy” heading. Detailed Instructions From CyberHoot:Allow-List by X-Header in M365Once you click the link above, make sure to follow all the…

May 29, 2025

In "CyberHoot"